  1. #!/bin/sh
  2. # minifirewall is shellscripts for easy firewalling on a standalone server
  3. # we used netfilter/iptables http://netfilter.org/ designed for recent Linux kernel
  4. # See https://gitea.evolix.org/evolix/minifirewall
  5. # Copyright (c) 2007-2015 Evolix
  6. # This program is free software; you can redistribute it and/or
  7. # modify it under the terms of the GNU General Public License
  8. # as published by the Free Software Foundation; either version 3
  9. # of the License.
  10. # Description
  11. # script for standalone server
  12. # Start or stop minifirewall
  13. #
  14. ### BEGIN INIT INFO
  15. # Provides: minfirewall
  16. # Required-Start:
  17. # Required-Stop:
  18. # Should-Start: $network $syslog $named
  19. # Should-Stop: $syslog
  20. # Default-Start: 2 3 4 5
  21. # Default-Stop: 0 1 6
  22. # Short-Description: start and stop the firewall
  23. # Description: Firewall designed for standalone server
  24. ### END INIT INFO
  25. DESC="minifirewall"
  26. NAME="minifirewall"
  27. # Variables configuration
  28. #########################
  29. # iptables paths
  30. IPT=/sbin/iptables
  31. IPT6=/sbin/ip6tables
  32. # TCP/IP variables
  33. LOOPBACK='127.0.0.0/8'
  34. CLASSA='10.0.0.0/8'
  35. CLASSB='172.16.0.0/12'
  36. CLASSC='192.168.0.0/16'
  37. CLASSD='224.0.0.0/4'
  38. CLASSE='240.0.0.0/5'
  39. ALL='0.0.0.0'
  40. BROAD='255.255.255.255'
  41. PORTSROOT='0:1023'
  42. PORTSUSER='1024:65535'
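#######################################
# Test whether an iptables chain exists.
# Uses the $IPT binary configured above (falls back to "iptables" from PATH
# when IPT is unset) instead of a hard-coded "iptables", so the check runs
# against the same binary as every other rule in this script.
# Arguments: $1 - chain name
#            $2 - (optional) table name; omitted -> iptables' default table
# Returns:   0 if the chain exists, non-zero otherwise; iptables output is discarded
#######################################
chain_exists()
{
  local chain_name="$1" ; shift
  local ipt="${IPT:-iptables}"
  # Pass --table and its value as two separate arguments rather than through an
  # unquoted string, so the table name never goes through word splitting.
  if [ $# -eq 1 ]; then
    "$ipt" --table "$1" -nL "$chain_name" >/dev/null 2>&1
  else
    "$ipt" -nL "$chain_name" >/dev/null 2>&1
  fi
}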
  49. # Configuration
  50. oldconfigfile="/etc/firewall.rc"
  51. configfile="/etc/default/minifirewall"
  52. IPV6=$(grep "IPV6=" /etc/default/minifirewall | awk -F '=' -F "'" '{print $2}')
  53. DOCKER=$(grep "DOCKER=" /etc/default/minifirewall | awk -F '=' -F "'" '{print $2}')
  54. INT=$(grep "INT=" /etc/default/minifirewall | awk -F '=' -F "'" '{print $2}')
# Action dispatch: the first argument selects what to do.
# Only "start" sources $configfile; the other actions rely on the IPV6/DOCKER/INT
# values extracted above.
case "$1" in
  start)
    echo "Start IPTables rules..."
    # Stop and warn if error!
    # NOTE(review): the trap only prints a message; it does not undo rules already
    # applied. The INPUT policy is switched to DROP only at the very end of this arm,
    # so an error before that point leaves INPUT with whatever policy it had before.
    set -e
    trap 'echo "ERROR in minifirewall configuration (fix it now!) or script manipulation (fix yourself)." ' INT TERM EXIT
    # sysctl network security settings
    ##################################
    # Don't answer to broadcast pings
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
    # Ignore bogus ICMP responses
    echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
    # Disable Source Routing
    for i in /proc/sys/net/ipv4/conf/*/accept_source_route; do
      echo 0 > $i
    done
    # Enable TCP SYN cookies to avoid TCP-SYN-FLOOD attacks
    # cf http://cr.yp.to/syncookies.html
    echo 1 > /proc/sys/net/ipv4/tcp_syncookies
    # Disable ICMP redirects (neither accept nor send them)
    for i in /proc/sys/net/ipv4/conf/*/accept_redirects; do
      echo 0 > $i
    done
    for i in /proc/sys/net/ipv4/conf/*/send_redirects; do
      echo 0 > $i
    done
    # Enable Reverse Path filtering : verify if responses use same network interface
    for i in /proc/sys/net/ipv4/conf/*/rp_filter; do
      echo 1 > $i
    done
    # Log packets with an inconsistent ("martian") source address
    for i in /proc/sys/net/ipv4/conf/*/log_martians; do
      echo 1 > $i
    done
    # IPTables configuration
    ########################
    # Logging chains: LOG_DROP logs then drops, LOG_ACCEPT logs then accepts
    $IPT -N LOG_DROP
    $IPT -A LOG_DROP -j LOG --log-prefix '[IPTABLES DROP] : '
    $IPT -A LOG_DROP -j DROP
    $IPT -N LOG_ACCEPT
    $IPT -A LOG_ACCEPT -j LOG --log-prefix '[IPTABLES ACCEPT] : '
    $IPT -A LOG_ACCEPT -j ACCEPT
    # Refuse to run with the legacy config location, and require the current one
    if test -f $oldconfigfile; then
      echo "$oldconfigfile is deprecated, rename to $configfile" >&2
      exit 1
    fi
    if ! test -f $configfile; then
      echo "$configfile does not exist" >&2
      exit 1
    fi
    # Source the configuration (this is where TRUSTEDIPS, SERVICES*, DNSSERVEURS, ...
    # come from). Anything it prints on stdout or stderr is treated as a
    # configuration error and aborts the start. Note that the "exit 1" path below
    # leaves $tmpfile behind.
    tmpfile=`mktemp`
    . $configfile 2>$tmpfile >&2
    if [ -s $tmpfile ]; then
      echo "$configfile returns standard or error output (see below). Stopping." >&2
      cat $tmpfile
      exit 1
    fi
    rm $tmpfile
    # Trusted ip addresses
    # ONLYTRUSTED: accept from $TRUSTEDIPS, log and drop everything else
    # (-I inserts each accept in front of the LOG_DROP fallback appended first)
    $IPT -N ONLYTRUSTED
    $IPT -A ONLYTRUSTED -j LOG_DROP
    for x in $TRUSTEDIPS
    do
      $IPT -I ONLYTRUSTED -s $x -j ACCEPT
    done
    # Privilegied ip addresses
    # (trusted ip addresses *are* privilegied)
    # ONLYPRIVILEGIED: accept from $PRIVILEGIEDIPS, otherwise fall through to ONLYTRUSTED
    $IPT -N ONLYPRIVILEGIED
    $IPT -A ONLYPRIVILEGIED -j ONLYTRUSTED
    for x in $PRIVILEGIEDIPS
    do
      $IPT -I ONLYPRIVILEGIED -s $x -j ACCEPT
    done
    # Chain for restrictions (blacklist IPs/ranges)
    # NOTE(review): created empty here and nothing in this script appends to it, so
    # traffic sent to it returns to INPUT and keeps being evaluated; presumably its
    # rules are added from elsewhere - confirm.
    $IPT -N NEEDRESTRICT
    # We allow all on loopback interface
    $IPT -A INPUT -i lo -j ACCEPT
    [ "$IPV6" != "off" ] && $IPT6 -A INPUT -i lo -j ACCEPT
    # if OUTPUTDROP
    $IPT -A OUTPUT -o lo -j ACCEPT
    [ "$IPV6" != "off" ] && $IPT6 -A OUTPUT -o lo -j ACCEPT
    # We avoid "martians" packets, typical when W32/Blaster virus
    # attacked windowsupdate.com and DNS was changed to 127.0.0.1
    # $IPT -t NAT -I PREROUTING -s $LOOPBACK -i ! lo -j DROP
    $IPT -A INPUT -s $LOOPBACK ! -i lo -j DROP
    if [ "$DOCKER" = "on" ]; then
      # Docker chains, chained PUB -> PRIVILEGED -> TRUSTED -> DROP. Each level
      # RETURNs for what it allows (those RETURN rules are inserted further down,
      # once the service port lists are known); anything not returned by
      # MINIFW-DOCKER-TRUSTED is dropped.
      $IPT -N MINIFW-DOCKER-TRUSTED
      $IPT -A MINIFW-DOCKER-TRUSTED -j DROP
      $IPT -N MINIFW-DOCKER-PRIVILEGED
      $IPT -A MINIFW-DOCKER-PRIVILEGED -j MINIFW-DOCKER-TRUSTED
      $IPT -A MINIFW-DOCKER-PRIVILEGED -j RETURN
      $IPT -N MINIFW-DOCKER-PUB
      $IPT -A MINIFW-DOCKER-PUB -j MINIFW-DOCKER-PRIVILEGED
      $IPT -A MINIFW-DOCKER-PUB -j RETURN
      # Flush DOCKER-USER if exist, create it if absent
      # (DOCKER-USER is the chain Docker leaves for user rules - presumably
      # evaluated for container traffic; confirm against the Docker version in use)
      if chain_exists 'DOCKER-USER'; then
        $IPT -F DOCKER-USER
      else
        $IPT -N DOCKER-USER
      fi;
      # Pipe new connection through MINIFW-DOCKER-PUB
      # Only NEW connections arriving on $INT are filtered; everything else returns.
      $IPT -A DOCKER-USER -i $INT -m state --state NEW -j MINIFW-DOCKER-PUB
      $IPT -A DOCKER-USER -j RETURN
    fi
    # Local services restrictions
    #############################
    # Allow services for $INTLAN (local server or local network)
    $IPT -A INPUT -s $INTLAN -j ACCEPT
    # Enable protection chain for sensible services
    for x in $SERVICESTCP1p
    do
      $IPT -A INPUT -p tcp --dport $x -j NEEDRESTRICT
    done
    for x in $SERVICESUDP1p
    do
      $IPT -A INPUT -p udp --dport $x -j NEEDRESTRICT
    done
    # Public service (open to everyone; these are also the only service ports
    # opened on the IPv6 side)
    for x in $SERVICESTCP1
    do
      $IPT -A INPUT -p tcp --dport $x -j ACCEPT
      [ "$IPV6" != "off" ] && $IPT6 -A INPUT -p tcp --dport $x -j ACCEPT
    done
    for x in $SERVICESUDP1
    do
      $IPT -A INPUT -p udp --dport $x -j ACCEPT
      [ "$IPV6" != "off" ] && $IPT6 -A INPUT -p udp --dport $x -j ACCEPT
    done
    # Privilegied services (IPv4 only: ONLYPRIVILEGIED has no ip6tables counterpart)
    for x in $SERVICESTCP2
    do
      $IPT -A INPUT -p tcp --dport $x -j ONLYPRIVILEGIED
    done
    for x in $SERVICESUDP2
    do
      $IPT -A INPUT -p udp --dport $x -j ONLYPRIVILEGIED
    done
    # Private services (IPv4 only: ONLYTRUSTED has no ip6tables counterpart)
    for x in $SERVICESTCP3
    do
      $IPT -A INPUT -p tcp --dport $x -j ONLYTRUSTED
    done
    for x in $SERVICESUDP3
    do
      $IPT -A INPUT -p udp --dport $x -j ONLYTRUSTED
    done
    if [ "$DOCKER" = "on" ]; then
      # Mirror the three service levels into the Docker chains: a RETURN at a
      # given level lets the connection through, otherwise it falls to the next
      # (stricter) chain and finally to DROP.
      # Public services defined in SERVICESTCP1 & SERVICESUDP1
      for dstport in $SERVICESTCP1
      do
        $IPT -I MINIFW-DOCKER-PUB -p tcp --dport "$dstport" -j RETURN
      done
      for dstport in $SERVICESUDP1
      do
        $IPT -I MINIFW-DOCKER-PUB -p udp --dport "$dstport" -j RETURN
      done
      # Privileged services (accessible from privileged & trusted IPs)
      for dstport in $SERVICESTCP2
      do
        for srcip in $PRIVILEGIEDIPS
        do
          $IPT -I MINIFW-DOCKER-PRIVILEGED -p tcp -s "$srcip" --dport "$dstport" -j RETURN
        done
        for srcip in $TRUSTEDIPS
        do
          $IPT -I MINIFW-DOCKER-PRIVILEGED -p tcp -s "$srcip" --dport "$dstport" -j RETURN
        done
      done
      for dstport in $SERVICESUDP2
      do
        for srcip in $PRIVILEGIEDIPS
        do
          $IPT -I MINIFW-DOCKER-PRIVILEGED -p udp -s "$srcip" --dport "$dstport" -j RETURN
        done
        for srcip in $TRUSTEDIPS
        do
          $IPT -I MINIFW-DOCKER-PRIVILEGED -p udp -s "$srcip" --dport "$dstport" -j RETURN
        done
      done
      # Trusted services (accessible from trusted IPs)
      for dstport in $SERVICESTCP3
      do
        for srcip in $TRUSTEDIPS
        do
          $IPT -I MINIFW-DOCKER-TRUSTED -p tcp -s "$srcip" --dport "$dstport" -j RETURN
        done
      done
      for dstport in $SERVICESUDP3
      do
        for srcip in $TRUSTEDIPS
        do
          $IPT -I MINIFW-DOCKER-TRUSTED -p udp -s "$srcip" --dport "$dstport" -j RETURN
        done
      done
    fi
    # External services
    ###################
    # Reply traffic for connections this host opens to listed remote servers.
    # There is no generic ESTABLISHED,RELATED rule on INPUT: TCP replies are
    # matched statelessly as non-SYN packets from the remote service port to a
    # local unprivileged port, one section per protocol.
    # DNS authorizations
    for x in $DNSSERVEURS
    do
      $IPT -A INPUT -p tcp ! --syn --sport 53 --dport $PORTSUSER -s $x -j ACCEPT
      $IPT -A INPUT -p udp --sport 53 --dport $PORTSUSER -s $x -m state --state ESTABLISHED,RELATED -j ACCEPT
      # needed because OUTPUT drops UDP by default (see "IPTables policy" below)
      $IPT -A OUTPUT -o $INT -p udp -d $x --dport 53 --match state --state NEW -j ACCEPT
    done
    # HTTP (TCP/80) authorizations
    for x in $HTTPSITES
    do
      $IPT -A INPUT -p tcp ! --syn --sport 80 --dport $PORTSUSER -s $x -j ACCEPT
    done
    # HTTPS (TCP/443) authorizations
    for x in $HTTPSSITES
    do
      $IPT -A INPUT -p tcp ! --syn --sport 443 --dport $PORTSUSER -s $x -j ACCEPT
    done
    # FTP (so complex protocol...) authorizations
    for x in $FTPSITES
    do
      # requests on Control connection
      $IPT -A INPUT -p tcp ! --syn --sport 21 --dport $PORTSUSER -s $x -j ACCEPT
      # FTP port-mode on Data Connection (SYN allowed: the server opens this one)
      $IPT -A INPUT -p tcp --sport 20 --dport $PORTSUSER -s $x -j ACCEPT
      # FTP passive-mode on Data Connection
      # WARNING, this allow all connections on TCP ports > 1024
      $IPT -A INPUT -p tcp ! --syn --sport $PORTSUSER --dport $PORTSUSER -s $x -j ACCEPT
    done
    # SSH authorizations
    # (no --dport restriction here, unlike the other sections)
    for x in $SSHOK
    do
      $IPT -A INPUT -p tcp ! --syn --sport 22 -s $x -j ACCEPT
    done
    # SMTP authorizations
    for x in $SMTPOK
    do
      $IPT -A INPUT -p tcp ! --syn --sport 25 --dport $PORTSUSER -s $x -j ACCEPT
    done
    # secure SMTP (TCP/465 et TCP/587) authorizations
    for x in $SMTPSECUREOK
    do
      $IPT -A INPUT -p tcp ! --syn --sport 465 --dport $PORTSUSER -s $x -j ACCEPT
      $IPT -A INPUT -p tcp ! --syn --sport 587 --dport $PORTSUSER -s $x -j ACCEPT
    done
    # NTP authorizations
    for x in $NTPOK
    do
      $IPT -A INPUT -p udp --sport 123 -s $x -j ACCEPT
      $IPT -A OUTPUT -o $INT -p udp -d $x --dport 123 --match state --state NEW -j ACCEPT
    done
    # Always allow ICMP
    $IPT -A INPUT -p icmp -j ACCEPT
    [ "$IPV6" != "off" ] && $IPT6 -A INPUT -p icmpv6 -j ACCEPT
    # IPTables policy
    #################
    # by default DROP INPUT packets
    # NOTE(review): on the IPv6 side only loopback, the public service ports and
    # ICMPv6 are accepted above; none of the IPv4 reply-traffic rules have an
    # ip6tables counterpart, so under this DROP policy outbound IPv6 TCP connections
    # get no accepted reply path - confirm this is intended.
    $IPT -P INPUT DROP
    [ "$IPV6" != "off" ] && $IPT6 -P INPUT DROP
    # by default, no FORWARDING (deprecated for Virtual Machines)
    #echo 0 > /proc/sys/net/ipv4/ip_forward
    #$IPT -P FORWARD DROP
    #$IPT6 -P FORWARD DROP
    # by default allow OUTPUT packets... but drop UDP packets (see OUTPUTDROP to drop OUTPUT packets)
    $IPT -P OUTPUT ACCEPT
    [ "$IPV6" != "off" ] && $IPT6 -P OUTPUT ACCEPT
    # Outgoing UDP: allow the traceroute probe port range and replies to existing
    # flows, drop every other new UDP flow (DNS/NTP exceptions were added above).
    $IPT -A OUTPUT -o $INT -p udp --dport 33434:33523 --match state --state NEW -j ACCEPT
    $IPT -A OUTPUT -p udp --match state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -p udp -j DROP
    [ "$IPV6" != "off" ] && $IPT6 -A OUTPUT -o $INT -p udp --dport 33434:33523 --match state --state NEW -j ACCEPT
    [ "$IPV6" != "off" ] && $IPT6 -A OUTPUT -p udp --match state --state ESTABLISHED,RELATED -j ACCEPT
    [ "$IPV6" != "off" ] && $IPT6 -A OUTPUT -p udp -j DROP
    # Everything applied: disarm the error trap before the normal exit
    trap - INT TERM EXIT
    echo "...starting IPTables rules is now finish : OK"
    ;;
  stop)
    echo "Flush all rules and accept everything..."
    # No "set -e" here: a missing chain prints an iptables error but does not
    # stop the teardown.
    # Delete all rules
    $IPT -F INPUT
    $IPT -F OUTPUT
    $IPT -F LOG_DROP
    $IPT -F LOG_ACCEPT
    $IPT -F ONLYTRUSTED
    $IPT -F ONLYPRIVILEGIED
    $IPT -F NEEDRESTRICT
    # nat table is only flushed when Docker is off (presumably because Docker
    # maintains its own nat rules there)
    [ "$DOCKER" = "off" ] && $IPT -t nat -F
    $IPT -t mangle -F
    [ "$IPV6" != "off" ] && $IPT6 -F INPUT
    [ "$IPV6" != "off" ] && $IPT6 -F OUTPUT
    if [ "$DOCKER" = "on" ]; then
      # DOCKER-USER is kept (with a single RETURN) since Docker references it;
      # the MINIFW-DOCKER-* chains are flushed and deleted.
      $IPT -F DOCKER-USER
      $IPT -A DOCKER-USER -j RETURN
      $IPT -F MINIFW-DOCKER-PUB
      $IPT -X MINIFW-DOCKER-PUB
      $IPT -F MINIFW-DOCKER-PRIVILEGED
      $IPT -X MINIFW-DOCKER-PRIVILEGED
      $IPT -F MINIFW-DOCKER-TRUSTED
      $IPT -X MINIFW-DOCKER-TRUSTED
    fi
    # Accept all
    $IPT -P INPUT ACCEPT
    $IPT -P OUTPUT ACCEPT
    [ "$IPV6" != "off" ] && $IPT6 -P INPUT ACCEPT
    [ "$IPV6" != "off" ] && $IPT6 -P OUTPUT ACCEPT
    #$IPT -P FORWARD ACCEPT
    #$IPT -t nat -P PREROUTING ACCEPT
    #$IPT -t nat -P POSTROUTING ACCEPT
    # Delete non-standard chains
    $IPT -X LOG_DROP
    $IPT -X LOG_ACCEPT
    $IPT -X ONLYPRIVILEGIED
    $IPT -X ONLYTRUSTED
    $IPT -X NEEDRESTRICT
    echo "...flushing IPTables rules is now finish : OK"
    ;;
  status)
    # Dump all tables with counters and rule numbers. Unlike "reset", the
    # ip6tables listing runs regardless of the IPV6 setting.
    $IPT -L -n -v --line-numbers
    $IPT -t nat -L -n -v --line-numbers
    $IPT -t mangle -L -n -v --line-numbers
    $IPT6 -L -n -v --line-numbers
    $IPT6 -t mangle -L -n -v --line-numbers
    ;;
  reset)
    # Zero the packet/byte counters; rules are left untouched.
    echo "Reset all IPTables counters..."
    $IPT -Z
    $IPT -t nat -Z
    $IPT -t mangle -Z
    [ "$IPV6" != "off" ] && $IPT6 -Z
    [ "$IPV6" != "off" ] && $IPT6 -t mangle -Z
    echo "...reseting IPTables counters is now finish : OK"
    ;;
  restart)
    # Re-invokes this script; the exit status of "start" is not propagated
    # (the script always ends with "exit 0" below).
    $0 stop
    $0 start
    ;;
  *)
    # NOTE(review): "squid" is listed in the usage text but no such arm exists in
    # this case statement.
    echo "Usage: $0 {start|stop|restart|status|reset|squid}"
    exit 1
esac
exit 0